Kaspersky Lab discovered the cyber espionage campaign “Red October”

Pierluigi Paganini January 15, 2013

Last October Kaspersky Lab’s Global Research & Analysis Team started a new investigation after several attacks hit computer networks of various international diplomatic service agencies.

The attacks appeared very suspect, a new large scale cyber-espionage operation has been discovered, the operation is dubbed «Red October», a name inspired by famous novel «The Hunt For The Red October» (ROCRA).

The operation was conducted to acquire sensitive information from diplomatic, governmental and scientific research organizations in many countries, mostly of them of Eastern Europe, former USSR members and countries in Central Asia. The campaign hit hundreds of machines belonging to following categories:

  • Government
  • Diplomatic / embassies
  • Research institutions
  • Trade and commerce
  • Nuclear / energy research
  • Oil and gas companies
  • Aerospace
  • Military

Red October

Compared to Aurora and Night Dragon, Rocra is more complex because uses more sophisticated malware able to evade detection during last 5 years while continuing to stealing hundreds of Terabytes by now.

 

Red October

 

Differently from other cyber espionage campaigns discovered in the past, Red October has targeted various devices such as enterprise network equipment and mobile devices (Windows Mobile, iPhone, Nokia), hijacking files from removable disk drives, stealing e-mail databases from local Outlook storage or remote POP/IMAP server and siphoning files from local network FTP servers.

What is upsetting is that evidence collected demonstrate that cyber-espionage campaign was started  since 2007 and is still active. During the last 5 years a huge quantity of data has been collected, the obtained information, such as service credentials, has been reused in later attacks.

The Kaspersky Lab blog post states

“The campaign, identified as “Rocra”, short for “Red October”, is currently still active with data being sent to multiple command-and-control servers, through a configuration which rivals in complexity the infrastructure of the Flame malware. Registration data used for the purchase of C&C domain names and PE timestamps from collected executables suggest that these attacks date as far back as May 2007.”

The control structure discovered is very complex and extended, more than 60 domain names and several servers hosting located in many countries mainly Germany and Russia. A particularity of the C&C architecture is that the network is arranged to hide the mothership-server true proxy functionality of every node in the malicious structure.

C&C architecture

Security experts were able to sinkhole around 10% of the domains, during the period 2 Nov 2012 – 10 Jan 2013 were registered over 55,000 connections to the sinkhole from 250 different victim’s IPs from 39 different countries,with most of IPs being from Switzerland. Kazakhstan and Greece follow next.

Red October Geo-distribution of victims

 

Which are the vulnerabilities exploited in the attacks?

The security expert discovered that at least three different known vulnerabilities have been exploited

  • CVE-2009-3129 (MS Excel) [attacks dated 2010 and 21011]
  • CVE-2010-3333 (MS Word) [attacks conducted in the summer of 2012]
  • CVE-2012-0158 (MS Word) [attacks conducted in the summer of 2012]

Evidences collected during the investigation, let security specialists to believe that attackers have Russian origins, but strangely they appear unrelated to any other cyber attacks detected until now.

These attacks are structured in two distinct phases according a classic schema of targeted attacks:

  1. Initial infection
  2. Additional modules deployed for intelligence gathering

In the initial phase the malware is delivered via e-mail as attachments (Microsoft Excel, Word and, probably PDF documents), once victims opened the malicious document the embedded malicious code initiated the setup of the main component which in turn handled further communication with the C&C servers,  after the malware receives from the C&C server a number of additional spy modules.e-mail as attachments (Microsoft Excel, Word and, probably PDF documents), once victims opened the malicious document the embedded malicious code initiated the setup of the main component which in turn handled further communication with the C&C servers,  after the malware receives from the C&C server a number of additional spy modules.

The way to infect the entire network is very efficient, the hackers used a module to scan target infrastructure searching for vulnerable machines.

“The main malware body acts as a point of entry into the system which can later download modules used for lateral movement. After initial infection, the malware won’t propagate by itself – typically, the attackers would gather information about the network for a few days, identify key systems and then deploy modules which can compromise other computers in the network, for instance by using the MS08-067 exploit.”

The attacks against each machine and related services is made exploiting the above vulnerabilities or gaining access to it using credentials collected during other attacks of the same campaign. The exploits appear to have been created by Chinese hackers.

Once again the group of Kaspersky has identified a campaign of cyber espionage, excellent analytical work to tight deadlines.
What alarms me is that such campaigns could be going on for years with disastrous consequences … what to do at this point? … what to do at this point? What to do at this point?

How is it possible that an operation so extended escape for so long to worldwide security community?

Who is behind the attacks? Cyber criminals or state-sponsored hackers?

Will we be forced to ban the use of our computers in critical sector such as diplomatic?

Pierluigi Paganini

UPDATE  2013/01/15

Jeffrey Carr, founder and CEO of Taia Global, Inc, posted on his blog

The developers behind ROCRA, who are Russian, are comfortable using Chinese malware and adapting it for their own use according to the Kaspersky report. This fits the RBN profile to a ‘t’. I ran 13 IPs listed in Kaspersky’s report against the RBN list maintained by James McQuade and found matching IP blocks for five of them:

Malicious servers

  • 178.63.208.49  matches to 178.63.

  • 188.40.19.247 matches to 188.40.

  • 78.46.173.15 matches to 78.46.

  • 88.198.30.44 matches to 88.198.

Mini-motherships

  • 91.226.31.40 matches to 91.226.

It has been my belief for many years that the RBN has a working relationship with the Russian government; that it disappeared from view when the FBI sought the assistance of the FSB to shut down their operations in 2007 (as detailed in chapter 8 of my book); and that it has continued operating below the radar all this time. It provides distance and deniability to the FSB for certain offensive cyber operations and, in exchange, the FSB allows the RBN to operate as a criminal enterprise; a portion of which involves selling the data that it steals to whomever is interested.Red October is already the most significant find of the new year. If, in fact, Kaspersky has uncovered an RBN-controlled espionage ring, it’s going to be one of the most important discoveries of the decade.

 
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Red October, cyberespionage)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment